May 12th, 2008 • 8:39 pm
I am afraid it looks like there have been repeated attempts to hack Betalogue in recent weeks. I actually now believe that the weird admin user reset problem I described a couple of months ago was the first manifestation of the hacking attempts.
Since then, in addition to repeated occurrences of the admin user reset, I have experienced a range of other issues with my web site, all of which have been invisible to Betalogue readers as far as I can tell. I won’t describe them in full detail here. I am sure that the issues are due to hackers, however, because of the appearance of files in my WordPress directory that I never installed there myself, which clearly bear the mark of either human or automatic hacking. (The Russian credits leave little to the imagination.)
I don’t quite know how “they” were able to go as far as to modify files and add new files, and why they didn’t use this ability to inflict greater and more visible damage. Apparently, based on my research, the problem had to do with something called “SQL injection”—although I have yet to find a page that clearly describes this as a known vulnerability in my version of WordPress, with exploits causing the symptoms that I have been experiencing, and with a clear requirement to upgrade to a newer version. (These search results certainly seem to indicate that it is a recurrent problem with WordPress.)
Still, I have taken a range of measures which I hope will eliminate the problem.
I have changed all the passwords involved (FTP/SSH password, WordPress password, MySQL password). I have removed the files that did not belong and replaced existing files that appeared to have been edited with the original local copies. And most important, I have upgraded to the latest version of WordPress.
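The file clean-up just described is easier to trust when it is done mechanically rather than by eye. The following is an added example of mine, not Betalogue's own tooling: it hashes a known-good local copy of a WordPress release and the deployed directory, then lists files that were added, modified or removed on the server. The directory layout and file contents are constructed samples.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large uploads need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_hashes(root: Path) -> dict:
    """Map every regular file under root (POSIX relative path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}


def compare_trees(clean: Path, deployed: Path) -> dict:
    """Report files added, modified or missing on the server relative to a
    known-good local copy of the same WordPress release."""
    good, live = tree_hashes(clean), tree_hashes(deployed)
    return {
        "added": sorted(set(live) - set(good)),
        "modified": sorted(f for f in good if f in live and good[f] != live[f]),
        "missing": sorted(set(good) - set(live)),
    }


def _write(root: Path, rel: str, text: str) -> None:
    p = root / rel
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_text(text)


def demo() -> dict:
    """Constructed sample: a clean copy, and a deployed copy with one edited
    core file and one file the site owner never installed."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, deployed = Path(tmp, "clean"), Path(tmp, "deployed")
        for root in (clean, deployed):
            _write(root, "wp-config.php", "<?php define('DB_NAME', 'wp'); ?>")
            _write(root, "wp-includes/functions.php", "<?php // core ?>")
        _write(deployed, "wp-includes/functions.php", "<?php // core ?> /* unexpected edit */")
        _write(deployed, "wp-content/uploads/zz.php", "<?php // not installed by owner ?>")
        return compare_trees(clean, deployed)


if __name__ == "__main__":
    print(demo())
```

Anything listed under "added" or "modified" is what to remove or restore from the local copy; "missing" catches files an intruder deleted.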
I somewhat naively assumed that I was using a “stable” version of WordPress (1.5.x, I think) and did not feel the urgent need to keep up-to-date with the latest versions of the blogging software. But I now realize more clearly that server-based software follows rules that are quite different from desktop software, in that security issues are much more crucial and you cannot count on older versions of the software staying immune forever, quite the contrary.
As with other types of software, new versions come with new features, but also with bug fixes and security fixes that are not necessarily implemented in older versions. Since server-based software is permanently “exposed,” however, this means that existing vulnerabilities in older versions will be exploited sooner or later, and so, if you want to remain up-to-date in terms of security, you simply have to upgrade the software.
Fortunately, upgrading WordPress from 1.5.x to the latest version was quite painless. I have probably lost a few minor customizations along the way, but nothing vital, and I will work to restore those, if necessary or desirable, over the coming weeks.
My priority right now, however, is to determine whether the upgrade does eliminate the vulnerability. I won’t know for sure right away, because the hacking attempts, as far as I can tell, have been episodic, with weeks passing without incident. It just so happens that there was another one today and that I actually noticed problems while it was happening. (At least, that’s what I believe.)
As an additional precaution, I have closed new user registrations for now. This means that only existing users can post comments on blog posts. If new users want to comment at this point, they’ll have to write to me. I’ll decide later on if I want to take a chance and reopen user registration.
It’s rather sad that this type of problem exists in the first place. Based on the fact that the hacking attempts did not actually damage the site and only left anonymous code in places on my server, I tend to think that this was the work of some kind of automatic bot scanning the web for exposed vulnerabilities, and not the work of an actual, malicious hacker. (I don’t think it was the work of a “friendly” hacker trying to warn me about existing vulnerabilities on my site either!)
But it is still profoundly annoying and disturbing, especially in light of the fact that I hardly write about highly controversial issues or have a high-profile blog—although one never knows. It’s a crazy world out there.
I also sincerely hope that this hacking has not exposed any user-related data. I have no way of knowing for sure. I obviously want to apologize for any inconvenience that this hacking may have caused for registered Betalogue users. I realize that, by registering on Betalogue, you entrusted me with some private information and that, by failing to sufficiently protect my site from potential security risks, I may have exposed some of this information. Like I said, I may have been a bit naive about the reliability of the WordPress software that I was using, and this incident certainly has been a lesson for me. (If you are concerned about the ongoing privacy of your login information, you might want to use your profile page to change your password.)
If all these measures fail to remedy the situation and Betalogue continues to experience hacking attempts, I will obviously have to take things to the next level, either with my host or with WordPress developers. I will certainly keep you posted if there are any new developments. If you notice anything on Betalogue that does not seem right, please do not hesitate to contact me privately using the link in the sidebar.